Over two decades ago, Alphabet CEO Eric Schmidt noted, “The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had.”
This ongoing experiment in internet anarchy is at an inflection point. Significant technological shifts such as 5G, artificial intelligence, and the internet of things offer great potential for ground-breaking societal innovations. At the same time, these same technologies enable governments across the globe to seek complete information and societal control within their borders through internet sovereignty.
The future of the internet, and therefore cybersecurity, is at a critical juncture. The battle over information control is already in full gear. Bots now comprise over half of internet traffic, deep fakes and voice mimicry will augment any disinformation campaigns and foment chaos. Data compromises continue to top previous records. A proliferation of attackers, tactics, and techniques continue to transform the threat landscape, and no target is off limits. Data integrity is at risk as disinformation campaigns seek to influence hearts and minds across the globe, while automation and artificial intelligence enable both global reach and tactical precision.
To manage this risk, the global regulatory landscape is further altering the risk calculus. Within this chaotic and rapidly changing environment, a Balkanization of the internet, or Splinternet, is emerging based on two dominant frameworks: digital authoritarianism and an emerging democratic blueprint. As Amy Zegart recently noted, Team Autocrat is winning. Before exploring a counterweight to this trend, and looking at the innovative opportunities ahead, it is essential to first understand the core components of digital authoritarianism and its impact in restructuring cybersecurity and the future of the internet.
Digital Authoritarianism: The Playbook
While it is a common refrain that policy, law, and ethics lag behind technology, this is not necessarily the case for authoritarian regimes. Freedom House recently highlighted this diffusion of digital authoritarianism as the core threat to internet freedom, with direct implications for fundamental human rights and conflict globally. The authoritarian playbook is a holistic cyber strategy that marries cyber attacks, disinformation, and automation and machine learning. While each of these is often treated as independent silos, they comprise the digital authoritarian playbook, which is increasingly adapted by both state and non-state actors. This playbook — comprised of bots, trolls, and warriors as the leading cast of characters — is already contributing to global instability and significant power shifts, and will do so for the foreseeable future with even more profound impact as it proliferates.
The first main characters in the authoritarian playbook are cyber warriors — experts in computer network exploitation. The growing reach and impact of cyber attacks is thanks in large part to a proliferation of these attackers and their capabilities.
While most rightfully think of China, Great Britain, Iran, Israel, North Korea, Russia, and the U.S. as having either the most sophisticated or most prolific cyber warriors, a growing number of governments are getting into the action as well, often targeting domestic populations and corporations. For instance, a spyware campaign has been linked to the Mexican government as part of an effort targeting journalists and NGOs. Vietnamese government linked groups have similarly been accused of carrying out attacks against companies, journalists, and foreign governments, including in Germany, the U.S., and China. Sudan has the Electronic Jihad group to ostensibly counter ISIS, including hacking WhatsApp, but involves larger domestic computer and cell phone surveillance against government dissidents. They are not unique in Africa, from Ethiopia to Gambia many more countries similarly are leveraging the internet for surveillance.
Each of these cases is symptomatic of the growth of smaller countries leveraging cyber espionage and digital offense against both economic and national security rivals. Importantly, authoritarian governments do not have the monopoly on this playbook, with the private sector adopting some of the practices, and even offering these interference tactics as a service.
At the same time, anti-government cyber warriors are pushing back, such as Venezuela’s Binary Guardians, who have attacked government sites. Ukraine’s RUH8 — roo hate — is indicative of Ukrainian hactivists or patriotic hackers digitally countering the range of Russian digital attacks. These groups are indicative of the growth of non-state cyber warriors, which will only continue to expand into the future. From terrorist groups with mainly ideological objectives to criminal groups seeking financial gain and profit to the mercenaries who are funded by nation-states for geopolitical gain, technology is shifting power structures. Thanks to the asymmetric nature of cyber attacks, actors with limited resources can have an outsized impact.
Whether state or non-state actors, cyber warriors have a growing range of tools and tactics at their disposal. They deploy the same, tried and true techniques such as phishing, malware, and various exploit kits, but ransomware continues to wreak havoc, especially for cities. Cryptomining skyrocketed in 2018 — where attackers may hijack a computer to mine cryptocurrencies — and illustrates the vulnerabilities in these new digital currencies. Wiper malware has also increasingly become a warrior favorite, and reflects the evolution from recon to more destructive objectives. In short, there is no one size fits all, and thanks to the proliferation of open source capabilities — such as through the Shadow Brokers and Vault 7 dumps — the number of open source tools and exploits available to both state and non-state cyber warriors is only growing.
While warriors focus on compromising machines, trolls focus on compromising hearts and minds, and they are similarly proliferating across the globe. The Russian trolls of the Internet Research Agency are well-known and discussed in the U.S., but their reach extends at least across Europe as well. They aim to augment societal tension and instability to the advantage of the Russian government through a combination of state-owned media with social media outlets. But they aren’t the only ones. China also has the Fifty Cent Army of government-affiliated workers pushing forth positive narratives about the government and the United Front Group spreading disinformation favoring Chinese strategic objectives. China has also learned from Russian election interference, and similarly has the targeted election overseas, including in Cambodia and Taiwan.
Other governments are quickly adapting these techniques as well. Turkey’s AK Trolls, the social media team affiliated with the ruling Justice and Development party, focus on drowning out critiques of the government, often in conjunction with bots. Rodrigo Duterte, president of the Philippines, has a keyboard army aimed to spread propaganda and drown out critics of the government. Iran, more often discussed for their cyber troops than troll armies, has been connected to global disinformation campaigns, including creating fake personas who target corporate executives in critical industries in the Middle East, U.S., and Europe.
The creation of fake persona or accounts is just one of many tactics deployed by trolls. Another favorite troll tactic is astroturfing — replacing negative narratives with positive ones about the government seemingly from grassroots sources — which results in distinct form of censorship of legitimate information. In contrast, disinformation, the practice of deliberately spreading false information to deceive, is the most commonly discussed tactic. Another favorite tactic is computational propaganda, which refers to the use of algorithms, automation, and human curation to purposefully distribute misleading information over social media networks. We’ve seen prominent examples of each of these, ranging from praising the government or censoring dissent during catastrophes, using false information to justify the use of force, to undermining media as a direct affront on democracy.
Of course, disinformation and espionage existed before the internet, so it’s no surprise even more sophisticated versions exist in the virtual world. The distinction now is the role of automation and the emerging applications of artificial intelligence (AI). For the purposes of the authoritarian playbook, bots serves as an umbrella term addressing the implementation of automation, machine learning, and AI by trolls and warriors, and manifests in everything from DDoS to malvertising to ransomware fueled by propagating worms to social bots.
The reach of bots continues to expand significantly year over year. 2016’s Mirai Botnet — a self-propagating botnet virus — impacted 400 thousand internet of things (IoT) devices such as webcams and routers and took down major social media sites, as well as internet access across sections of the East Coast. That attack paled in comparison to the recent targeted DDoS attack against GitHub, which clocked in at 1.35 terabit-per-second and exploited spoofed IPs, or the BrickerBot which impacted over ten million machines in 2017.
Bots also impact the reach of malvertising. The 2017 Great Fireball adware hijacked 250 million machines, including one in five corporate networks. Bot-powered malvertising campaigns can now reach over hundreds of millions of machines by a single individual, while automation-powered ad fraud is expected to reach $44 B by 2022.
Self-propagating worms, such as WannaCry, NotPetya, and BadRabbit, have also achieved global reach thanks to automation. NotPetya, a ransomware with a wiper malware component, was one of the most destructive attacks. It originally targeted Ukrainian infrastructure, but thanks to the self-propagation, companies across the globe became collateral damage, costing both FedEx and Merck upwards of $300M each. Their impact remains evident today. Several years after WannaCry affected hundreds of millions of machines, a million computers remain vulnerable.
The trolls similarly benefits from automation and machine learning as they target specific subsets of the population, generally through social media, to optimize the impact, and achieve widespread reach. For instance, Russian-language bot activity targeting NATO exercises demonstrates the ability to integrate both tactical targeting as well as widespread automation. Ecuador has internalized this playbook as well, spending millions on malware and troll armies to foster pro-government narratives, reflecting the growing diffusion of this model.
Looking ahead, the playbook will increasingly integrate bots, trolls, and warriors to achieve an effect. Whether the 2017 French election, the Qatar boycott, to augmenting Venezuelan instability, this playbook will only continue to innovate and achieve even more significant impact.
Legislating Information Control
While bots, trolls, and warriors remain foundational to the playbook, authoritarian regimes also are leveraging localized data laws to further control information flows within their borders. China’s Great Firewall, a term first dubbed in 1997, is the most prominent example of a country’s attempt to control information and data flows within its borders. The Great Firewall aims to censor and control information within China’s borders through a combination of legislative policies as well as technical solutions, such as URL filtering that denies access to certain sites and blocking Virtual Private Networks (VPN). It has sparked similar aspirations in Iran, Russia, and Venezuela for internet autarky.
Data localization — data storage within sovereign borders — is also a core contributor to a fractured global internet. By requiring data storage domestically and unrestricted data access, governments seek greater control over individuals and information within their borders. Increasingly, many of the new data localization policies (e.g., new laws in Vietnam and Thailand) fall under broader cybersecurity legislation that also involves elements of censorship, especially with regard to controlling anti-government rhetoric.
Many of these new data laws offer a glimpse into what’s coming over the next decade. For instance, Turkey has the Law on the Protection of Personal Data, which limits the transfer of personal data out of Turkey, requiring some local data storage. Iran similarly has local data storage requirements, as do a growing majority of countries across the globe, each with disparate requirements across a broad range of data localization approaches.
This is the new authoritarian playbook. Thanks to its diffusion, it is already significantly impacting economic growth, democracy, security, and innovation. The emergence of 5G, artificial intelligence, quantum computing, internet of things, and cloud computing will only add to this complexity. This emerging cybersecurity frontier comes with great challenges, but also great opportunities. Let’s now turn to what democracies can and are beginning to do to counter this playbook within this increasingly complex and dynamic regulatory and threat landscape.
An Emerging Democratic Blueprint for Security and Privacy
Democracies are playing catch-up when it comes to countering the authoritarian playbook. Senator Mark Warner (D-VA) noted, “We have failed to recognize that our adversaries are working with a totally different playbook…We are allowing other nations to write the playbook on cyber..” These points are echoed by Senator Ben Sasse (R-NE) who noted, “We don’t have a playbook. It’s time to draft one.”
While the United States debates how to counter this playbook, in 2018 the European Union took one of the most significant steps aimed at data protection. The European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018, reaches beyond its borders to establish a democratic, if hotly debated, baseline for individual data security and privacy. While it takes a more prescriptive approach than the United States, it nonetheless reflects democratic norms that are absent from the authoritarian models.
The GDPR is a far-reaching data protection framework that impacts everything from marketing to artificial intelligence to breach notification. At a quick glance, the GDPR may seem equivalent to the data localization and sovereignty laws referenced with regard to the authoritarian playbook. They do both focus on data access that differs by regulatory regimes. However, there are (at least) two core distinctions. First, the GDPR does not require local storage. The EU was created to facilitate cross-border flows of capital, goods, and people, which remains a motivating mission with cross-border digital flows as well. Local data storage would be anathema to this foundational objective. Instead, as described in Article 44, the GDPR requires data protections for the data of EU citizens, wherever it goes.
Second, they differ dramatically based on intent. The data localization laws of authoritarian regimes are often accompanied by data access requirements and are meant to empower governments with the ability to access any data within their borders. In contrast, the GDPR reflects the political and economic union of 28 democratic members, reinforcing some of the values and norms of individual freedoms, privacy, and human rights that are foundational to the EU.
With that objective in mind, the GDPR maintains a strong emphasis on individual data protections, which includes personally identifiable data (PII), but extends to content about an individual. Key data protection features within the GDPR includes the right to erasure (aka the right to be forgotten), and the right for an individual to access their data and to rectify incorrect data.
In contrast, the United States has historically taken a light-touch regulatory approach, focusing attention on industries with greater perceived risks, and too often maintaining a reactionary stance in managing the digital policy innovations from abroad. Many industries, such as healthcare and finance, have established sector-specific approaches to data protection and privacy, and even within those sectors there are distinct protocols that provide additional complexity to the patchwork of regulations. And absent a comprehensive national policy framework, various U.S. states are implementing their own data protection legislation.
However, this may soon change as U.S. public opinion has shifted dramatically over the last year in on data protection and privacy, with many favoring stricter regulation of the tech giants. This makes U.S. federal data privacy legislation increasingly likely within the decade, if not within the next few years. In fact, both political parties have recently introduced their own version of a federal privacy bill. If done well, a U.S. federal privacy framework could play a pivotal role in providing global leadership focused on protecting individual data rights and privacy, while prompting greater innovation. By elevating the role of privacy and data protection, the U.S. could reassert soft power and introduce a framework and aspirations for governments and populations across the globe. However, even if done well, a data protection law is not enough. More is needed, which is the topic of the final section.
A Socio-Technical Look at the Future of Cybersecurity
Looking ahead, cybersecurity will be equally impacted by technological innovation as well as geopolitics. It is a socio-technical system and must be analyzed as such. Starting with technology, artificial intelligence will shape the new frontier and impact everything from IoT to nuclear defenses. This knowledge frontier will further be augmented by 5G and the rapid streaming of data of any size and type, as well as the ability of cloud-computing to store these zettabytes of data. These are generally discussed in future forecasts of cybersecurity. Instead of reiterating these well-trodden areas, it is instead useful to focus on three core areas that deserve additional attention: a growing emphasis on usable security and privacy, the emerging frontier of digital transformation, as well as the current fracturing of the worldwide web. This section will address each of these in turn.
Usable Security and Privacy
As an industry, cybersecurity lags behind other industries in the area of usability. The requirement to manage an endless list of complex passwords alone is proof that usability has been an afterthought for the industry. From new forms of authentication to more intuitive privacy settings, intuitive interfaces and responsiveness will be a driving factor in making security and privacy accessible to the masses.
As digital authoritarianism continues to spread to state and non-state actors, privacy will become a competitive advantage in the global marketplace, and usability will be core to this advantage. Corporations already attempt to ‘out-privacy’ each other, but this is often more talk than action currently. In the future, privacy prioritization will be essential to compete, thus instigating greater cyber security innovation, especially in the area of usability.
Trust but Verify
This new innovation is long overdue. The perimeter mindset — focused on firewalls, a static network environment, and external threats — remains all too common despite the growing attack surface and a business environment reliant on bring your own device (BYOD) and cloud computing. This is beginning to change toward a zero-trust approach, which focuses on additional verification layers based on granular and segmented privileges, and entails an overarching emphasis on persistent verification to access to data and folders or lateral movement within a network. With a zero-trust mindset, security that travels with the object is essential and is already sparking innovative solutions that break the perimeter mindset mold.
The success of this mindset will yet again rest on usability features. If new security solutions interfere with the normal workflow, users will simply find a means to circumvent them. This is why encryption — one of the most foundational means to secure data — lacked significant implementation until applications made it part of the natural workflow. Usable security and privacy must accompany a zero trust approach for it to succeed.
The Growing Splinternet
As internet penetration continues to increase across the globe, it would be a mistake to assume the online experience — or level of security — will be uniform. The notion of a ‘borderless internet’ emerged in the 1990s and continues to shape assumptions about the future of the internet. Unfortunately, it’s a completely false premise. Thanks to the emerging data regulations and cybersecurity laws, the internet is fracturing and will continue to do so over the next decade. We have already addressed the data localization and protection laws instigating this fracturing, but cyber norms and encryption will both further impact the depth of the Splinternet, as will the role of corporations in inserting global policy across each of these.
For over a decade, the United Nations Group of Governmental Experts (GGE) debated the creation of cyber norms — those informal standards of appropriate behavior in cyberspace. The main objective was to tame the anarchy of cyberspace with some foundational agreement specifying what behavior was unacceptable. Proposed guidelines ranged from non-intervention in critical infrastructure in peacetime to non-interference in cybersecurity emergency response teams.
These negotiations collapsed in 2017, along the ideological divide of regimes favoring cyber sovereignty — the right to control information within its boundaries — and those preferring a free, open, secure approach, and thus reinforcing notions of a digital iron curtain. This divide was further entrenched at the end of 2018 when both Russia and the United States introduced competing resolutions that would create working groups to identify new cyber norms.
Absent significant progress from the United Nations, corporations are stepping in to define global norms and shape the rules of the road. For instance, Microsoft introduced ‘A Digital Geneva Convention’ concept to protect against the range of offensive attacks, and has garnered over 30 signatories from high-tech companies. Siemens has similarly introduced a Charter of Trust focused on supply chain standards and has over a dozen of the world’s largest companies as signatories, while two government authorities have also joined its ranks. This convergence of the private sector and governments will only continue, as the Paris Call for Trust and Security in Cyberspace and the Global Commission on the Stability of Cyberspace demonstrate, each of which have significant contributions from the private and public sectors. The Paris Call has over 450 signatories, including 100 countries and private sector tech giants such as IBM, Cisco, Facebook, and Google.
Of course, these efforts are in sharp contrast to those put forth by authoritarian regimes such as China and Russia. How these norms diffuse, and who is shaping them, has significant implications for cybersecurity and defense postures across the globe.
Data Security and Privacy Postures
Just as global norms reflect an ideological fracturing, this divide is also growing thanks to various approaches to security and privacy. We already covered the regulations that are prompting part of this global fracturing. Looking ahead, how governments handle encryption may well further deepen the Splinternet. Encryption has been around for decades, but over the last few years has been under attack by both authoritarian regimes and democracies.
End-to-end encryption is one of the few security measures that is not cost-prohibitive and is increasingly usable for non-tech aficionados. However, a growing global effort exists to weaken encryption, including by authoritarian regimes such as China, Russia, and Iran. For instance, in 2018 Russia attempted to ban the messaging app, Telegram, following its refusal to hand over encryption keys, and accidentally took banks and online stores and services offline. Following this debacle,one state-run media source argued that the end of globalization is here, and “all countries will build virtual borders … it’s inevitable, and it’s very good for all of us.”
Like other authoritarian strategies, this digital strategy has spread. Malawi requires government approval of encryption keys, while China requires local encryption key storage. Turkey linked anyone using ByLock, an encryption-based messaging app, to coup involvement, while India is exploring a law to require a backdoor, targeted at WhatsApp. German leaders have requested similar access to encrypted content, while Brazil continues to go back and forth on banning WhatsApp and its end-to-end encrypted services. The United States, Australia, Canada, New Zealand, and the United Kingdom, issued a joint statement introducing their intent to seek lawful access to encrypted content. Australia made good on this promise a few months later, passing a contentious law requiring access to encrypted content. Based on a discussion at the National Security Council in June 2019 and the latest comments from Attorney General Barr, the United States may soon follow soon suit.
These policies that weaken security pose significant risk to businesses and individuals. This combination of data storage requirements and data access through weakened encryption should increasingly inform corporate cyber risk assessments over the next decade.
The dominant paradigms in cybersecurity are ‘assume breach’ and ‘privacy is dead.’ This nihilistic attitude is understandable given the proliferation of the authoritarian playbook coupled with the monetization of data. While there is a sense of acquiescence when it comes to the loss of privacy and data protection, doing nothing is not an option. There is too much at stake.
The future of the internet is at an inflection point, one that is intertwined with geopolitics, the new frontier of emerging technologies, individual freedoms, and a global, interconnected economy. The fracturing of the internet is already well underway with divides that are only likely to grow in the next ten years.
If crisis breeds innovation, expect some significant cybersecurity innovations over the next decade. With so much at stake, the challenges are great, but so too are the opportunities. Innovative security and privacy solutions are beginning to emerge to counter digital authoritarianism in favor of aspiring toward the original aspiration of a free, open, and secure internet.
All Rights Reserved for Andrea Little Limbago